A few months ago, when I entered my email address on the Liberal Democrats’ website to say that I agreed with the statement

Girls should never be cut. We must end FGM

I hoped I wouldn’t subsequently receive spam emails promoting the party. However I had no way of knowing because there was no obvious statement explaining what would happen. But, furthermore, I had clearly not given specific consent to receive such emails.

Nonetheless, I did get them, and continue to do so – emails purportedly from Nick Clegg, from Paddy Ashdown and from others, promoting their party and sometimes soliciting donations.

I happen to think the compiling of a marketing database by use of serious and emotive subjects such as female genital mutilation is extraordinarily tasteless. It’s also manifestly unlawful in terms of Lib Dems’ obligations under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which require specific consent to have been given before marketing emails can be sent to individuals.

On the lawfulness point I am pleased to say the Information Commissioner’s Office (ICO) agrees with me. Having considered my complaint they have said:

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific….As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

Great. I’m glad they agree – casual disregard of PECR seems to be rife throughout politics. As I’ve written recently, the Labour Party, UKIP and Plaid Cymru have also spammed my dedicated email account. But I also asked the ICO to consider taking enforcement action (as is my right under regulation 32 of PECR). Disappointingly, they have declined to do so, saying:

enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us

It’s also disappointing that they don’t say why this is their decision. I know they cannot take enforcement action in every case reported to them, which is why I requested it in this specific case.

However, I will be interested to see whether the outcome of this case changes the Lib Dems’ approach. Maybe it will, but, as I say, they are by no means the only offenders, and enforcement action by the ICO might just have helped to address this wider problem.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

8 responses to “ICO finds Lib Dems in breach of ePrivacy law”

The ICO has found it necessary to serve PECR enforcement notices on most of the major parties (including the LibDems) in the pre-CMP days. Given that they generally only use Enforcement Notices when the organisation won’t voluntarily comply, the idea that a polite letter will make much of a difference is very unconvincing.

What we do
The ICO is a UK independent regulatory authority reporting directly to the UK Parliament. The Commissioner enforces and oversees the Privacy and Electronic Communications Regulations 2003 (PECR). Our aim is to educate organisations to help them understand what the PECR require. We also gather intelligence from the concerns that are reported to us.

The PECR are concerned with the way organisations send marketing material by fax, text, email and telephone. Marketing can include the promotion of goods, services, aims or ideals.

Next steps
As the basis of your complaint concerns consent and unsolicited marketing emails, we will investigate this matter under the PECR.

From the correspondence you have provided, you are concerned that the organisation has failed to obtain valid consent from individuals prior to sending any electronic marketing.

I have reviewed your correspondence and the organisations website, and it appears that their current practices would fail to comply with the requirements of the PECR. This is because consent is not knowingly given, clear and specific.

As such, we have written to the organisation to remind them of their obligations under the PECR and ensure that valid consent is obtained from individuals.

We have also asked the organisation to ensure that your personal information is suppressed from their marketing lists. This should take no longer than 28 days and should ensure that they do not email you again.

I note that you have requested that we exercise our enforcement function under Regulation 32 of the Privacy and Electronic Communications Regulations 2003.

Each concern that is reported to us is considered for enforcement action. You do not need to make a separate request for this.

However, enforcement action is not taken routinely and it is our decision whether to take it. We cannot take enforcement action in every case that is reported to us.